The dreaded Shamoon malware is back to haunt Saudi Arabia, and the government has wasted no time in issuing a warning alert to a number of organizations. This time a new variant, Shamoon 2, has been identified circulating and affecting Saudi organizations, according to CrowdStrike, an American cybersecurity technology company.
Adam Meyers, CrowdStrike VP, stated that the hackers were probably working on behalf of the “Iranian government” in the earlier attacks as well as in the recent ones. Meyers also said that it was quite possible that they “will continue.”
It is worth noting that Shamoon is malware that wipes data from disks quite efficiently and takes total control of the computer’s boot record, leaving the PC unable to start up.
In 2012, the Shamoon virus was launched against Saudi Aramco, a national petroleum and natural gas company based in Dhahran, and it managed to destroy data from 35,000 computers. Then in November 2016, a variant of the Shamoon malware was used to attack more than six organizations in Saudi Arabia, including the Saudi aviation regulator, and all the computers were destroyed. The files were overwritten with a picture of a 3-year-old Syrian refugee boy’s dead body, which was found lying on the beach. According to a report from Al Ekhbariya TV, this time around, 15 government agencies and organizations have been targeted with Shamoon 2.
Sadara, the joint venture of Saudi Arabian Oil and Dow Chemical from Michigan, is among the victims of Shamoon 2. Sadara reportedly took down its entire computer network on Monday, and its service is still down. However, this hasn’t affected the operations of Sadara at all, said a spokesperson.
Sadara's network disruption was a result of cyber attack experienced by multiple entities in KSA as announced by the regulatory authorities
— Sadara | صدارة (@Sadara) January 25, 2017
Saudi TV reported that the Saudi Technical and Vocational Training Corporation was also targeted, but the company’s spokesperson denied this claim.
Reuters stated that a majority of the affected companies are located in Jubail, the Saudi petrochemical industry hub. The companies have experienced “network disruptions” and are trying to shut down their systems to protect their data from the Shamoon 2 virus. However, Reuters did not specifically name any of the firms.
While discussing the Shamoon malware, the cyber security company Symantec said, “Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”
It is currently too early to pinpoint possible perpetrators of the attack, but the possibility that nation-state attackers are involved cannot be ruled out. In 2012, Iranian hackers were blamed for the Shamoon attacks. However, the Saudi government hasn’t named or accused anyone as of now. Considering the hostile relationship that Saudi Arabia and Iran share, we can speculate that Iran might be involved this time too.
Khaled Aba Al-Khail, the Saudi Ministry of Labor spokesperson, stated that the Ministry of Labor and Human Resources Development Fund’s computers have also been affected by Shamoon 2. The security agencies are currently coordinating with the Ministry of Interior’s National Center for Cybersecurity to analyze the situation.